Abstract. Artin's braid groups have been recently suggested as a new source for public-key cryptography. In this paper we propose the first group signature schemes based on the conjugacy problem, decomposition problem and root problem in the braid groups, which are believed to be hard problems.
1 Introduction

Artin's braid groups have recently been suggested as a new source for public-key cryptography, alternative to number-theoretic public-key cryptography. The birthdate of braid group based cryptography can be traced back to the pioneering work of Anshel et al. in 1999 [?] and Ko et al. in 2000 [?]. Since then, braid groups have attracted the attention of many cryptographers due to the fact that they provide a rich collection of hard problems, like the conjugacy problem, the braid decomposition problem and the root problem, and there are efficient algorithms for parameter generation and group operations [?].

Since the construction of a Diffie-Hellman type key agreement protocol and a public key encryption scheme by Ko et al. in 2000 [?], there have been many attempts to design other cryptographic protocols using braid groups. Positive results in this direction are a construction of a pseudorandom number generator by Lee et al. in 2001 [?], key agreement protocols by Anshel et al. in 2001 [?], an implementation of braid computations by Cha et al. in 2001 [?], digital signature schemes by Ko et al. in 2002 [?], entity authentication schemes by Sibert et al. in 2002 [?] and a provably-secure identification scheme by Kim et al. in 2004 [?].

Digital signatures bind signers to the contents of the document they sign. Group signature schemes were introduced by Chaum and van Heyst [?] to allow individual members of a group to sign messages on behalf of the group. Formally, a group signature scheme has the following properties [?]:

1. only members of the group can sign messages; 

2. the receiver of the signature can verify that it is a valid signature of the group, 
but cannot identify the signer; 

3. in case of a dispute at a later stage, the signature can be opened to reveal the 
identity of the signer. 

The salient features of group signatures make them attractive for many specialized 
applications, such as voting and bidding. More generally, group signatures can be 
used to conceal organizational structures, e.g., when a company or a government 
agency issues a signed statement. Group signatures can also be integrated with 
an electronic cash system whereby several banks can securely distribute anonymous 
and untraceable e-cash. 

Group signatures are a generalization of credential mechanisms ([?]) and of membership authentication schemes ([?], [20]), in which a group member can convince a verifier that he belongs to a certain group without revealing his identity.

In this paper, we design some group signature schemes using braid groups. These 
are the first group signature schemes using braid groups. 

In Section 2, we briefly review the basics of braid groups. We describe the initial system setup and some security assumptions needed for building these signature schemes in Section 3. A group signature scheme whose security is based on the root problem is described in Section 4. In Section 5, we describe a group signature scheme that employs confirmation and denial protocols for identifying the actual signer. The security of this scheme is based on the root problem, the conjugacy problem and its variants. A third group signature scheme whose security is based on the conjugacy problem and its variants is described in Section 6. The paper concludes with some general remarks in Section 7.

2 An Overview of Braid Groups 

In this section, we briefly describe the basics of braid groups and the hard problems in braid groups. A good introduction to braid groups is [?], and survey articles on braid cryptography are [?], [?].

2.1 Geometric Interpretation of Braids 

A braid group $B_n$ is an infinite non-commutative group arising from geometric braids composed of $n$ strands. A braid is obtained by laying down a number of parallel strands and intertwining them so that they run in the same direction. The number of strands is called the braid index. Braids have the following geometric interpretation: an $n$-braid (where $n \in \mathbb{N}$) is a set of $n$ disjoint strands, all of which are attached to two horizontal bars at the top and bottom, such that each strand always heads downwards as one moves along the strand from top to bottom. Two braids are equivalent if one can be deformed to the other continuously in the set of braids.

Let $B_n$ be the set of all $n$-braids. $B_n$ has a natural group structure. Each $B_n$ is an infinite torsion-free noncommutative group and its elements are called $n$-braids. The multiplication $ab$ of two braids $a$ and $b$ is the braid obtained by positioning $a$ on top of $b$. The identity $e$ is the braid consisting of $n$ straight vertical strands, and the inverse of $a$ is the reflection of $a$ with respect to a horizontal line.

Let $S_n$ be the symmetric group on $n$ symbols. Given a braid $a$, the strands define a map $\rho(a)$ from the top set of endpoints to the bottom set of endpoints. In this way we get a homomorphism $\rho : B_n \to S_n$.

2.2 Presentations of Braid Groups 

Any braid can be decomposed as a product of simple braids known as Artin generators $\sigma_i$, which have a single crossing between the $i$-th strand and the $(i+1)$-th strand, with the convention that the $i$-th strand crosses under the $(i+1)$-th strand. The homomorphism $\rho$ maps the generator $\sigma_i$ to the transposition $\tau_i = (i, i+1)$.

For each integer $n \ge 2$, the $n$-braid group $B_n$ has the Artin presentation by generators $\sigma_1, \sigma_2, \dots, \sigma_{n-1}$ with relations

$$\sigma_i \sigma_j = \sigma_j \sigma_i, \quad \text{where } |i - j| \ge 2, \quad \text{and} \quad \sigma_i \sigma_{i+1} \sigma_i = \sigma_{i+1} \sigma_i \sigma_{i+1}, \quad \text{for } 1 \le i \le n-2. \tag{2.2.1}$$

2.3 Some Special Classes of Braids 

Let $B_n^+$ denote the submonoid of $B_n$ generated by $\{\sigma_1, \dots, \sigma_{n-1}\}$. Elements of $B_n^+$ are called the positive braids. A positive braid is characterized by the fact that at each crossing the string going from left to right undercrosses the string going from right to left.

A positive braid is called non-repeating if any two of its strands cross at most once. We denote by $D = D_n \subset B_n^+$ the set of all non-repeating braids. To each $\pi \in S_n$ we can associate a unique $a \in D_n$ in the following way: for $i = 1, \dots, n$ connect the upper $i$-th point to the lower $\pi(i)$-th point by a straight line, making each crossing positive, i.e. the line between $i$ and $\pi(i)$ is under the line between $j$ and $\pi(j)$ if $i < j$. The following lemma says that $\rho$ restricted to $D_n$ is a bijection.

Lemma 2.1. [?] The homomorphism $\rho : B_n \to S_n$ restricted to $D_n$ is a bijection.

Hence non-repeating braids are also known as permutation braids. From this lemma it follows that $|D_n| = n!$. In this way we can identify $D_n$ with $S_n$.

Let $LB_n$ and $RB_n$ be two subgroups of $B_n$ consisting of braids obtained by braiding the left $\lfloor n/2 \rfloor$ strands and the right $n - \lfloor n/2 \rfloor$ strands, respectively. That is,

$$LB_n = \langle \sigma_1, \dots, \sigma_{\lfloor n/2 \rfloor - 1} \rangle, \quad \text{and} \quad RB_n = \langle \sigma_{\lfloor n/2 \rfloor + 1}, \dots, \sigma_{n-1} \rangle.$$

Then we have the commutativity property that for any $\alpha \in LB_n$ and $\beta \in RB_n$, $\alpha\beta = \beta\alpha$. These subgroups of $B_n$ are used in designing various cryptographic protocols.

2.4 Canonical Decomposition of Braids

For two words $v$ and $w$ in $B_n^+$, we say that $v \le w$ if $w = avb$ for some $a, b \in B_n^+$. Then $\le$ is a partial order on $B_n$ [?].

The positive braid $\Delta = (\sigma_1 \cdots \sigma_{n-1})(\sigma_1 \cdots \sigma_{n-2}) \cdots (\sigma_1 \sigma_2)\sigma_1$ is called the fundamental braid. A braid $A$ satisfying $e \le A \le \Delta$ is called a canonical factor. There is a bijection between the set of all permutation braids and the set of all canonical factors. Thus a canonical factor can be denoted by the corresponding permutation $\pi \in S_n$. By $\pi_\Delta$ we mean the permutation corresponding to the fundamental braid $\Delta$.

For a positive braid $P$, we say that the decomposition $P = A_0 P_0$ is left-weighted if $A_0$ is a canonical factor, $P_0 \ge e$ and $A_0$ has the maximal word length among all such decompositions. A left-weighted decomposition $P = A_0 P_0$ is unique [?]. $A_0$ is called the maximal head of $P$. Any braid $x$ can be uniquely decomposed as

$$x = \Delta^u A_1 A_2 \cdots A_k, \quad \text{where } u \in \mathbb{Z},\ A_i \ne e, \Delta,\ A_i \text{ is a canonical factor} \tag{2.4.1}$$

and the decomposition $A_i A_{i+1}$ is left-weighted for each $1 \le i \le k-1$. This unique decomposition is called the left canonical form of $x$, and so it solves the word problem. Since each canonical factor corresponds to a permutation braid, $x$ can be denoted as

$$x = \pi_\Delta^u \pi_1 \pi_2 \cdots \pi_k, \quad \text{where } \pi_i \ne \text{Identity}, \pi_\Delta. \tag{2.4.2}$$

Hence for implementation purposes the braid $x$ can be represented as the tuple $(u, \pi_1, \pi_2, \dots, \pi_k)$. The integer $u$, denoted by $\inf(x)$, is called the infimum of $x$ and the integer $u + k$, denoted by $\sup(x)$, is called the supremum of $x$. The canonical length of $x$, denoted by $\mathrm{len}(x)$, is given by $k = \sup(x) - \inf(x)$.

2.5 Hard Problems in Braid Groups 

We use the following hard problems in our signature schemes. 

1. Conjugacy Search Problem (CSP)

Let $(x, y) \in B_n \times B_n$ such that $y = a^{-1} x a$, where $a \in B_n$ or some subgroup of $B_n$. The conjugacy search problem is to find a $b$ such that $y = b^{-1} x b$.

2. Multiple Simultaneous Conjugacy Search Problem (MSCSP)

Let $(x_1, a^{-1} x_1 a), \dots, (x_r, a^{-1} x_r a) \in B_n \times B_n$ for some $a \in B_n$ or some subgroup of $B_n$. The multiple simultaneous conjugacy search problem is to find a $b$ such that $b^{-1} x_1 b = a^{-1} x_1 a, \dots, b^{-1} x_r b = a^{-1} x_r a$.

3. Braid Decomposition Problem (BDP)

Let $(x, y) \in B_n \times B_n$, where $y = a_1 x a_2$ for some $(a_1, a_2) \in LB_n \times LB_n$. The braid decomposition problem is to find a pair $(b_1, b_2) \in LB_n \times LB_n$ such that $y = b_1 x b_2$.

4. Multiple Simultaneous Braid Decomposition Problem (MSBDP)

Let $(x_1, a_1 x_1 a_2), \dots, (x_r, a_1 x_r a_2) \in B_n \times B_n$ for some $(a_1, a_2) \in LB_n \times LB_n$. The multiple simultaneous braid decomposition problem is to find a pair $(b_1, b_2) \in LB_n \times LB_n$ such that $b_1 x_1 b_2 = a_1 x_1 a_2, \dots, b_1 x_r b_2 = a_1 x_r a_2$.

5. Root Extraction Problem (RP)

Let $x = a^p$, where $a, x \in B_n$ and $p \in \mathbb{N}$. Then the root problem (for the exponent $p$) is to find a braid $b \in B_n$ such that $b^p = x$.

3 Preliminaries 

In this section, the initial system setup, intractability assumptions, some other assumptions and some notation used in this paper are given.

3.1 Initial Setup 

The system parameters $n$ and $l$ are chosen to be sufficiently large positive integers and are made public. Since the braid group $B_n$ is discrete and infinite, we cannot have a uniform probability distribution on $B_n$. But since there are finitely many positive $n$-braids with $l$ canonical factors, we may consider randomness for these braids. Such a braid can be generated by concatenating $l$ random canonical factors. Let

$$B_n(l) = \{ b \in B_n \mid 0 \le \inf(b) \le \sup(b) \le l \},$$
$$LB_n(l) = \{ b \in LB_n \mid 0 \le \inf(b) \le \sup(b) \le l \} \quad \text{and}$$
$$RB_n(l) = \{ b \in RB_n \mid 0 \le \inf(b) \le \sup(b) \le l \}.$$

Then $|B_n(l)| \le l\,(n!)^l$, and so $LB_n(l)$, $RB_n(l)$ and $B_n(l)$ are finite sets. We use the random braid generator given in [?] (which produces random braids in $O(ln)$ time) for generating random braids. Also, we consider the uniform probability distribution on these sets.

Let $H : \{0, 1\}^* \to B_n(l)$ be a collision-free hash function. $H$ can be constructed by composing a usual hash function of bit strings with a conversion from bit strings of fixed length to elements of $B_n(l)$. A way to construct this conversion function, $c : \{0, 1\}^k \to B_n(l)$ for bit strings of fixed length $k$, is given in [?].

3.2 Notations 

We use the following notations throughout this paper.

• By $a \in_R A$ we mean a random choice of an element $a$ from the set $A$.

• By $P \xrightarrow{Q} V$, we mean $P$ sends $Q$ to $V$.

3.3 Group Manager 

Let T be a group manager, who chooses the private key of the group and creates 
the public key of the group. T also manages the members of the group. T is needed 
in identifying the actual signer in our first and third signature schemes. T is not 
needed in our second signature scheme. 

3.4 Intractability Assumptions 

We assume that the hard problems CSP, MSCSP, BDP, MSBDP and RP stated in Section 2.5 are intractable in braid groups. However, we assume that the conjugacy decision problem given below is easy in braid groups.

Let $(x, y) \in B_n \times B_n$. The conjugacy decision problem is to decide whether $x$ and $y$ are conjugates or not, that is, to decide whether there exists an $a \in B_n$ such that $y = a^{-1} x a$ or not. The conjugacy decision problem may be solved using the algorithm given in [?].

3.5 Some New Assumptions 

In this paper, we make two assumptions. The first assumption is similar to the EDL intractability assumption used in [?]. The EDL (Equality of Discrete Logarithms) intractability assumption can be stated as follows: given $x, y \in_R G = \langle f \rangle = \langle g \rangle$, it is computationally infeasible to determine the equality of $\log_f x$ and $\log_g y$ over $\mathbb{Z}_n$, where $\mathrm{ord}(g) = n$. So we have our first assumption as

Assumption 3.1. For $(\alpha, \beta) \in B_n \times B_n$, let

$$F_\beta(\alpha) = \{ (a, b) \in B_n \times B_n : \alpha = a \beta b \}.$$

Then, given two pairs of braids $(\alpha, \beta)$ and $(\gamma, \delta)$ in $B_n \times B_n$, it is computationally infeasible to check whether $F_\beta(\alpha) \cap F_\delta(\gamma) \ne \emptyset$ or not.

The second assumption is about cardinalities of certain sets, which may be stated as follows.

Assumption 3.2. Let $n, l$ be sufficiently large positive integers, $\alpha, \beta, \gamma \in_R B_n(l)$, $a_1, a_2 \in_R LB_n(l)$ and $a \in_R RB_n(l)$. Then the cardinality of the set

$$E_\alpha(\beta, \gamma) = \{ b \in RB_n(l) : b^{-1} \alpha b = a^{-1} \alpha a,\ b^{-1} \beta b \ne a^{-1} \beta a \}$$

is bounded below by a non-decreasing function $p(n, l)$ of $n$ and $l$.

In this paper, we do not undertake any theoretical or numerical study to check 
the validity of the above assumptions. 

4 Group Signature Scheme 1 

In [?] Chaum et al. describe a group signature scheme using public-key systems. In this case the group manager $T$ chooses a public key system, gives each person a list of secret keys (these lists are all disjoint) and publishes the complete list of corresponding public keys (in random order) in a Trusted Public Directory. Each person can sign a message with a secret key from his list, and the recipient can verify this signature with the corresponding public key from the public list. Each key will be used only once, otherwise the signatures created with that key get linked. $T$ knows all the lists of secret keys, so that in case of a dispute he can identify the signer. Hence $T$ is needed for the setup and for opening the signature.

We can adopt this group signature scheme directly to the braid group framework as follows: $T$ chooses a set $E$ of braids and raises them to the $p$-th power, where $p$ is an integer greater than 1. Each person is given a list of braids from $E$ (these lists are all disjoint) and the complete list of $p$-th powers of elements of $E$ (in random order) is published in a Trusted Public Directory. To sign a message $m$, a group member chooses a braid $\alpha$ from his list and forms the signature $S_m = \alpha H(m)$. The recipient can verify this signature by computing $(S_m H(m)^{-1})^p$ and checking it against the corresponding public key in the Trusted Public Directory. Each key will be used only once. $T$ knows all the lists of secret keys, so that in case of a dispute he can identify the signer.

A problem with this scheme is that the group manager knows all the secret keys of the group members and can therefore also create signatures. This problem can be overcome by having each user untraceably send one (or more) public keys to a public list, which will be the public key of the group. But it has to be ensured that only the group members are able to send public keys to that list.

Although the scheme is very elegant, it has the obvious disadvantage that a key can be used only once. However, we can trivially see that the security of this scheme is equivalent to solving the root problem. Hence this group signature scheme is highly secure. This is the only cryptographic scheme on braid groups whose security depends solely on the root problem (RP).
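As an added worked example (not code from the paper), the following Python checks the Artin relations (2.2.1) and the $LB_n$/$RB_n$ commutativity of Section 2.3, then runs Scheme 1 above: signing as $S_m = \alpha H(m)$, verifying by matching $(S_m H(m)^{-1})^p$ against the published directory, and showing how two signatures under the same one-time key resolve to the same directory entry and are therefore linked. Braid equality is tested through the permutation $\rho$ and the Burau matrices at $t = 2$, a constructed stand-in for comparing left canonical forms; the secret braids and the hash values are constructed sample words.

```python
from fractions import Fraction
from functools import reduce
# Toy braid arithmetic constructed for this example: a braid is a word in the
# Artin generators (+i for sigma_i, -i for sigma_i^{-1}). Words are compared via
# rho and the unreduced Burau matrices at t = 2: differing images prove the
# braids differ; a real implementation compares left canonical forms (2.4).
T = Fraction(2)

def identity(n):
    return [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]

def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def generator_matrix(n, g):
    """Burau image of sigma_i (g = i) or sigma_i^{-1} (g = -i) in B_n."""
    i = abs(g) - 1                         # 0-based crossing position
    if g > 0:
        block = [[1 - T, T], [Fraction(1), Fraction(0)]]
    else:                                  # inverse of the 2x2 block above
        block = [[Fraction(0), Fraction(1)], [1 / T, (T - 1) / T]]
    m = identity(n)
    for r in range(2):
        for c in range(2):
            m[i + r][i + c] = block[r][c]
    return m

def burau(n, word):
    return reduce(matmul, (generator_matrix(n, g) for g in word), identity(n))

def permutation(n, word):
    """rho: B_n -> S_n; perm[k] is the bottom endpoint reached by top strand k."""
    pos = list(range(n))                   # pos[j] = strand now at position j
    for g in word:
        i = abs(g) - 1
        pos[i], pos[i + 1] = pos[i + 1], pos[i]
    perm = [0] * n
    for j, strand in enumerate(pos):
        perm[strand] = j
    return perm

def equal(n, w1, w2):
    return permutation(n, w1) == permutation(n, w2) and burau(n, w1) == burau(n, w2)

def inverse(word):
    return [-g for g in reversed(word)]
def power(word, p):
    return list(word) * p

def artin_relations_hold(n):
    """Both relation families of (2.2.1) hold under the representation."""
    far = all(equal(n, [i, j], [j, i])
              for i in range(1, n) for j in range(1, n) if abs(i - j) >= 2)
    near = all(equal(n, [i, i + 1, i], [i + 1, i, i + 1]) for i in range(1, n - 1))
    return far and near

def lb_rb_commute(n):
    """A generator product from LB_n commutes with one from RB_n (Section 2.3)."""
    h = n // 2
    lb, rb = list(range(1, h)), list(range(h + 1, n))
    return equal(n, lb + rb, rb + lb)

# Group Signature Scheme 1 (Section 4), with H(m) supplied as a braid word.
def scheme1_setup(secrets, p):
    """T publishes the p-th powers of the members' one-time secret braids."""
    return [power(s, p) for s in secrets]

def scheme1_sign(alpha, y):
    return alpha + y                       # S_m = alpha * H(m)

def scheme1_verify(n, p, directory, s_m, y):
    """Index of the directory entry equal to (S_m H(m)^{-1})^p, or -1 if none."""
    candidate = power(s_m + inverse(y), p)
    for idx, pk in enumerate(directory):
        if equal(n, candidate, pk):
            return idx
    return -1

N, P = 4, 2
SECRETS = [[1, 2, 3], [2, -1, 3, 2], [1, 1, 2]]   # constructed one-time keys
DIRECTORY = scheme1_setup(SECRETS, P)

def demo_key_reuse():
    """One key on two messages: both verify, but match the same entry (linked)."""
    y1, y2 = [1, 2, 3, 1, 2, 1], [3, 2, 1, 3]     # constructed stand-ins for H(m)
    i1 = scheme1_verify(N, P, DIRECTORY, scheme1_sign(SECRETS[1], y1), y1)
    i2 = scheme1_verify(N, P, DIRECTORY, scheme1_sign(SECRETS[1], y2), y2)
    return i1, i2, i1 == i2
```

A forged signature under a braid whose $p$-th power is not in the directory returns $-1$, while honest signatures return the index of the key's entry, which is exactly what lets a verifier link two uses of the same key.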

5 Group Signature Scheme 2 

In this section, we describe a group signature scheme which does not involve a group manager. The security of the scheme is based on the hardness of BDP, MSCSP and RP. Here the recipient of the signature can easily check whether the signature has come from a particular group or not. But the identity of the signer cannot be verified unless the verifier engages in an interactive protocol with the signer, as in the case of undeniable signatures.

5.1 Key Generation

Let $G$ be a group with $k$ members $P_1, P_2, \dots, P_k$. The members of the group agree on a secret braid $\alpha \in B_n(l)$. $\beta = \alpha^p$ is published as the public key of the group. Also, each member $P_i$ of the group chooses $(u_i, v_i) \in LB_n(l) \times LB_n(l)$ as his secret key. In this case, the public key of $P_i$ is $x_i = u_i^{-1} \beta v_i$.

We shall denote by $PK$ the tuples $(\beta, \{x_i\}_1^k)$ generated as above.

5.2 Signature Generation 

Let $m$ be the message to be signed. Suppose $P_i$ wants to sign $m$. He computes the signature $S_m = u_i^{-1} y^{-1} \alpha y u_i$, where $y = H(m)$.

We shall denote by $SIG(m)$ the set of valid signatures on $m$.

5.3 Confirming the Group Identity of the Signature 

Given an alleged signature $S_m$, suppose that a verifier $V$ wants to check whether it is a valid signature from the group $G$. $V$ computes $S_m^p$ and checks whether it is conjugate to $\beta$ using the algorithm described in [?].

Note that $S_m^p = u_i^{-1} y^{-1} \beta y u_i$. Hence if $S_m$ is a valid signature of a member of $G$, then $S_m^p$ is conjugate to $\beta$.

5.4 Confirmation Protocol 

Suppose that a signer $P_i$ claims that a signature $S_m$ was made by him. Then a verifier $V$ first checks the group identity of the signature using the above protocol and then verifies the claim of $P_i$ by engaging in an interactive confirmation protocol with him. Let us denote the prover $P_i$ by $P$. When $S_m$ is a valid signature of $m$ by $P$, he will be able to convince $V$ of this fact, while if the signature is invalid then no prover, even if he is computationally unbounded, will be able to convince $V$ to the contrary except with a negligible probability.
Signature Confirmation Protocol



Input: Prover: Secret keys $(\alpha, u_i, v_i)$.

Verifier: Public key $(\beta, \{x_j\}_1^k)$ and alleged $S_m$.

1. $V$ chooses $a \in_R RB_n(l)$, computes $Q = a^{-1} (S_m)^p x_i a$ and $V \xrightarrow{Q} P$.

2. $P$ chooses $b, c \in_R B_n(l)$, computes $R = b\, u_i Q v_i^{-1} c$ and $P \xrightarrow{R} V$.

3. $V \xrightarrow{a} P$.

4. $P$ checks the value of $Q$ and then $P \xrightarrow{(b, c)} V$.

5. $V$ verifies that $R = b a^{-1} y^{-1} \beta y \beta a c$.

If equality holds then $V$ accepts $S_m$ as the signature on $m$, otherwise "undetermined".

Theorem 5.1. Confirmation Theorem. Let $(\beta, \{x_i\}_1^k) \in PK$.
Completeness: Given $S_m \in SIG(m)$, if $P$ follows the signature confirmation protocol then $V$ always accepts $S_m$ as a valid signature.

Soundness: A cheating prover $P^*$, even computationally unbounded, cannot convince $V$ to accept $S_m \notin SIG(m)$ with probability greater than $1/p(n, l)$.

Proof. Completeness: Let $S_m$ be a valid signature. Since $a \in RB_n(l)$ commutes with $u_i, v_i \in LB_n(l)$, and $S_m^p = u_i^{-1} y^{-1} \beta y u_i$, $P$ computes

$$R = b (u_i Q v_i^{-1}) c = b (u_i a^{-1} (S_m)^p x_i a v_i^{-1}) c = b a^{-1} (y^{-1} \beta y \beta) a c,$$

which $V$ verifies after getting $(b, c)$ from $P$ and accepts the signature as valid. Hence the protocol is complete.

Soundness: The idea is that there are many values of $a$ which give the same value for the challenge $Q$ and different values for the response $R$, and a cheating prover $P^*$ has no way to distinguish between these different values of $a$, even if he has infinite computational power. That is, from Assumption 3.2, there are at least $p(n, l)$ choices for $a \in RB_n(l)$ which give the same value of $Q$ but give different values of $R$. Hence it is infeasible for a cheating prover $P^*$ to distinguish between these different values of $a$, even if he has infinite computational power. Therefore a cheating prover $P^*$, even computationally unbounded, cannot convince $V$ to accept $S_m \notin SIG(m)$ with probability greater than $1/p(n, l)$. Thus the protocol is sound. □

Remark 5.1. A closer examination of the protocol reveals that it has the zero-knowledge property also (see [?]).

5.5 Disavowal Protocol 

If $P_i$ wants to prove to $V$ that $S_m$ is not his signature on $m$, he engages in a disavowal protocol with $V$. As in the case of the confirmation protocol, we denote $P_i$ by $P$. In the case that $S_m$ is not a valid signature, $P$ will be able to convince $V$ of this fact, while if $S_m$ is a valid signature of $P$ on $m$, even if he is computationally unbounded he will not be able to convince $V$ that the signature is invalid except with negligible probability.

Disavowal Protocol

Input: Prover: Secret keys $(\alpha, u_i, v_i)$.

Verifier: Public key $(\beta, \{x_j\}_1^k) \in PK$, $y$ and alleged $S_m$.

1. $V$ chooses $a, b \in_R RB_n(l)$ such that $a$ and $b$ commute and computes $Q_1 = a^{-1} (S_m)^p x_i a$, $Q_2 = b^{-1} (S_m)^p x_i b$ and $V \xrightarrow{(Q_1, Q_2)} P$.

2. $P$ computes the response $R_1 = u_i Q_1 v_i^{-1}$, $R_2 = u_i Q_2 v_i^{-1}$ and $P \xrightarrow{(R_1, R_2)} V$.

3. $V$ verifies that $b^{-1} (R_1 \beta^{-1}) b = a^{-1} (R_2 \beta^{-1}) a$.

If equality holds $V$ accepts $S_m$ as an invalid signature. Otherwise $P$ is answering improperly.

Theorem 5.2. Denial Theorem. Let $(\beta, \{x_i\}_1^k) \in PK$.

Completeness: Suppose that $S_m \notin SIG(m)$. If $P$ and $V$ follow the protocol, then $V$ always accepts that $S_m$ is not a valid signature of $m$.

Soundness: Suppose that $S_m \in SIG(m)$. Then a cheating prover, even computationally unbounded, cannot convince $V$ to reject the signature with probability greater than $1/p(n, l)$.
Proof. Completeness: Assume that $S_m \notin SIG(m)$. Since $a, b \in RB_n(l)$ commute with $u_i, v_i \in LB_n(l)$, we have

$$R_1 = u_i a^{-1} (S_m)^p x_i a v_i^{-1} = a^{-1} (u_i (S_m)^p u_i^{-1} \beta) a,$$
$$R_2 = u_i b^{-1} (S_m)^p x_i b v_i^{-1} = b^{-1} (u_i (S_m)^p u_i^{-1} \beta) b.$$

Therefore,

$$b^{-1} R_1 b = a^{-1} R_2 a = a^{-1} b^{-1} (u_i (S_m)^p u_i^{-1} \beta) b a.$$

Hence the protocol is complete.

Soundness: Assume that $S_m \in SIG(m)$. Let $R_1$ and $R_2$ be the responses given by $P^*$ in the protocol. Let, if possible, $b^{-1} R_1 b = a^{-1} R_2 a$. Then

$$R_2 = a (b^{-1} R_1 b) a^{-1} = a \gamma a^{-1}, \quad \text{where } \gamma = b^{-1} R_1 b.$$

In the worst case, we may regard $\gamma$ as a known constant for $P^*$ when he tries to determine $R_2$. But then the ability to determine $R_2$ amounts to the establishment of an invalid signature, which contradicts Theorem 5.1 (soundness of the confirmation protocol). Hence the protocol is sound. □

Remark 5.2. For the ease of analysis, the disavowal protocol was given in a non-zero-knowledge fashion. However, zero-knowledge versions of the disavowal protocol can also be constructed in a similar manner (see [?]).

6 Group Signature Scheme 3 

In this section, we describe another group signature scheme. This scheme is given in the usual framework of group signature schemes as described in [19]. The security of the scheme is based on the hardness of CSP, MSCSP and MSBDP. Here the recipient of the signature can easily verify the group identity of the signature. However, if a dispute occurs the group manager can open the signature and identify the signer.

6.1 Setup 

The group manager $T$ chooses a secret braid $s \in_R LB_n(l)$, $k_1, k_2 \in_R RB_n(l)$, and $\alpha \in_R B_n(l)$ and publishes $x = s^{-1} \alpha s$ as the public key of the group.

6.2 Join

Suppose now that a user $P$ wants to join the group. We assume that the communication between a group member and $T$ is secure, that is, private and authentic.

The following protocol is performed between the user $P$ and the Trusted Authority $T$.

1. $T \xrightarrow{\alpha} P$.

2. $P$ chooses $u, a \in_R LB_n(l)$, computes $v = u^{-1} \alpha u$, $w = a^{-1} u a$ and $P \xrightarrow{(v, w)} T$.

3. $T$ computes $z_1 = k_1^{-1} w k_1$, $z_2 = k_2^{-1} w k_2$ and $T \xrightarrow{(z_1, z_2)} P$.

4. $P$ computes $\beta_1 = a z_1 a^{-1}$ and $\beta_2 = a z_2 a^{-1}$. Since $a \in LB_n(l)$ commutes with $k_1, k_2 \in RB_n(l)$, this gives $\beta_1 = k_1^{-1} u k_1$ and $\beta_2 = k_2^{-1} u k_2$.

Consequently, at the end of the protocol, $T$ creates a new entry in the group database with $v$ as the public key of the member $P$.

6.3 Sign 

Let $m$ be the message which has to be signed. Suppose that the group member $P$ wants to sign $m$. He computes $S_1 = s^{-1} y s$ and $S_2 = s^{-1} \beta_1^{-1} y \beta_2 s$, where $y = H(m)$. The signature is the pair $S_m = (S_1, S_2)$.

6.4 Verify 

A recipient of the signature, after getting $S_m$, checks whether $S_1$ is conjugate to $y$ to check whether $S_m$ is a valid signature of $y$ or not.

To check the group identity of the signature, $V$ checks whether $S_1 x$ is conjugate to $y \alpha$. If it holds, $V$ accepts $S_m$ as a signature from the group $G$.

6.5 Open 

In case of a dispute, the group manager can identify the signer of the signature $S_m = (S_1, S_2)$ in the following way. He first computes $S_3 = k_1 s S_2 s^{-1} k_2^{-1}$. Now he can find out whether $P$ is the signer by checking whether $S_3 v$ is conjugate to $k_1 y k_2^{-1} \alpha$ or not. If it holds, the signature was made by $P$.

6.6 Security Analysis

In this section we will show that this group signature scheme satisfies some of the properties of an ideal group signature.

1. Unforgeability: Since, to sign on behalf of the group, one should know the secret key $s$, only group members can sign on behalf of the group. However, an attacker gets several pairs of braids and their conjugates by $s$. Hence, under the assumption that the multiple simultaneous conjugacy decomposition problem (MSCDP) is hard in braid groups, an attacker cannot get $s$ and the signature scheme stands unforgeable.

Remark 6.1. We may make our scheme more secure by avoiding an attack on MSCDP in the following way: the group manager chooses $s_1, s_2 \in_R LB_n(l)$ instead of $s \in_R LB_n(l)$. He makes the group public key $s_2^{-1} \alpha s_1$. Now, given a message $m$, the signer computes the signature as $S_m = (S_1 = s_1^{-1} y s_2,\ S_2 = s_1^{-1} \beta_1^{-1} y \beta_2 s_2)$. The protocols for verification and opening the signature can be rewritten in a similar way.

2. Unlinkability: Let $m_1$ and $m_2$ be two messages signed by the group members. Let $y_1 = H(m_1)$ and $y_2 = H(m_2)$. Let $S_{m_1} = (S_1^1, S_2^1)$ and $S_{m_2} = (S_1^2, S_2^2)$. Now, the problem of linking $S_{m_1}$ and $S_{m_2}$ reduces to deciding whether $S_2^1$ and $S_2^2$ are linked or not. Now, $S_2^1 = s^{-1} \beta_1^{-1} y_1 \beta_2 s$ and $S_2^2 = s^{-1} \beta_1^{-1} y_2 \beta_2 s$. Hence deciding whether $S_2^1$ and $S_2^2$ are linked or not reduces to checking whether the pairs $(S_2^1, y_1)$ and $(S_2^2, y_2)$ have the same factors or not. Now, this is infeasible by Assumption 3.1. Hence the signature scheme is unlinkable.

3. Anonymity: Given a group signature, identifying the actual signer is computationally hard for everyone but the group manager. Consider a signature on $m$ by $P$. Let $S_m = (S_1, S_2)$. Now $S_2 = s^{-1} (k_1^{-1} u^{-1} k_1) y (k_2^{-1} u k_2) s$ and, in order to show that the signature belongs to $P$, a group member has to prove that $(k_1 s S_2 s^{-1} k_2^{-1}) v$ is conjugate to $k_1 y k_2^{-1} \alpha$. There is no apparent way of proving the identity of the signer other than by getting the private keys of the signer or those of the Trusted Authority. But any group member can compute $s S_2 s^{-1} = (k_1^{-1} u^{-1} k_1) y (k_2^{-1} u k_2)$. Now, the only way for a group member $P$ with secret key $v$ to find out the identity of the signer is to get the values of $k_1$ and $k_2$ from $k_1^{-1} v k_1$ and $k_2^{-1} v k_2$, which he obtained from the group manager. But this amounts to solving a conjugacy search problem, and by assumption the conjugacy search problem is hard. Hence the signature scheme is anonymous.

4. Exculpability: The group manager does not get any information about a group member's secret key $u$, nor about the signing keys $k_1^{-1} u k_1$ and $k_2^{-1} u k_2$. The values of $u$ as well as $k_1^{-1} u k_1$ and $k_2^{-1} u k_2$ are computationally hidden from the group manager because of the protocols involved in the Join session of the member $P$. Hence the group manager cannot sign on behalf of a group member. Similarly, a group member cannot sign on behalf of any other member. Hence exculpability holds.

5. Traceability: Assume that the signature $S_m = (S_1, S_2)$ on the message $m$ was made by $P$. Now the group manager can compute

$$S_3 v = (k_1 s S_2 s^{-1} k_2^{-1}) v = (k_1 s (s^{-1} \beta_1^{-1} y \beta_2 s) s^{-1} k_2^{-1})(u^{-1} \alpha u)$$
$$= (k_1 \beta_1^{-1} y \beta_2 k_2^{-1})(u^{-1} \alpha u) = (k_1 (k_1^{-1} u^{-1} k_1) y (k_2^{-1} u k_2) k_2^{-1})(u^{-1} \alpha u)$$
$$= u^{-1} k_1 y k_2^{-1} \alpha u.$$

Hence $S_3 v$ is conjugate to $k_1 y k_2^{-1} \alpha$. Thus, the group manager can open any valid group signature and identify the actual signer. Hence the signature is traceable.

7 Concluding Remarks 

In this paper, we constructed three group signature schemes based on some hard problems in braid groups. Our schemes are the first in this direction using braid groups. It remains open to use other hard problems in braid groups for designing more group signature schemes and other cryptographic protocols.

The first signature scheme has the property that its security depends entirely on the root problem. This is the only cryptographic scheme on braid groups whose security depends solely on the root problem. The root problem is believed to be harder than the conjugacy and decomposition problems. Hence we may believe that this scheme is the most secure one. The second scheme combines the notion of undeniable signatures with group signatures. Our third scheme is set in the usual framework of group signatures.

The problem of checking the equality of factors in a 3-factor decomposition of two given braids, with the middle factors known, is employed in Assumption 3.1. We leave this assumption as well as Assumption 3.2 for further investigation. The first step in the investigation of the second assumption may be to estimate the number of conjugates of a random element which are equal. Numerical experiments might throw some light on these assumptions.

The birth of braid cryptography has stimulated the search for other exotic mathematical structures for doing public-key cryptography. People have started looking at other nonabelian groups [?], [?], [?], [?] and combinatorial groups [?] for building public-key cryptosystems. Although we have described our schemes in the framework of braid groups, these protocols can be carried over to many other nonabelian groups with slight modifications. Further, one can modify these protocols to other variations of group signatures like the ring signatures and undeniable group signatures discussed in Section 1. Hence, we hope that this study will motivate further research on digital signatures based on nonabelian groups and combinatorial groups.